What HIPAA is and why buyers ask for it
HIPAA — the Health Insurance Portability and Accountability Act — is the US law that governs how protected health information (PHI) is handled, and it is enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services. It applies not only to “covered entities” such as health plans, providers and clearinghouses, but also to their business associates: the vendors that handle PHI on their behalf, including many SaaS, hosting and IT companies, and the subcontractors those vendors in turn engage.
That second category is why HIPAA matters to so many technology businesses. If you sell into US healthcare, your customers will require you to sign a Business Associate Agreement (BAA) and to evidence that you protect PHI to HIPAA’s standards. As with several US privacy regimes, HIPAA is a regulation rather than a certifiable standard — there is no single official “HIPAA certificate” — so ABS delivers it as a readiness and gap assessment within our Cyber Security work, and vendors frequently pair it with a SOC 2 report to give buyers independent assurance of the controls they operate.
What the assessment covers
A HIPAA assessment reviews your handling of PHI against the law’s main rules:
- Privacy Rule — how PHI in any form may be used and disclosed, and the rights individuals have over it
- Security Rule — the administrative, physical and technical safeguards required for electronic PHI (ePHI)
- Breach Notification Rule — what must happen, and how quickly, when unsecured PHI is exposed: affected individuals and HHS (and, for larger breaches, the media) must be notified without unreasonable delay and no later than 60 days after discovery, and a business associate must notify the covered entity it serves
A central element is the risk analysis the Security Rule requires (45 CFR 164.308(a)(1)(ii)(A)): a documented assessment of the risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI you hold, covering every system that creates, stores or transmits it. ABS maps your current safeguards against these requirements, identifies gaps, and helps you prioritise remediation.
Typical timeline
A HIPAA readiness and gap assessment typically takes 8–12 weeks, depending on the size of your organisation and the number of systems that touch PHI. Closing the gaps then runs on a timeline you control. Each engagement begins with a scoping call, followed by a fixed-price proposal within 24 hours.
Common questions
Is there an official HIPAA certificate?
No. There is no single government-issued HIPAA certification — compliance is demonstrated through documented safeguards, policies and the required risk analysis, and it is assessed by OCR only in the course of an investigation or audit. Many vendors to healthcare also use a SOC 2 report to evidence their controls to buyers, because it provides an independent, recognised assurance report; note that a SOC 2 report attests to the controls in its scope, it does not itself certify HIPAA compliance.
Who has to comply with HIPAA?
Two groups: covered entities (health plans, healthcare providers and clearinghouses) and their business associates — vendors that create, receive, maintain or transmit protected health information on a covered entity’s behalf, which includes many SaaS, hosting and IT providers.
What is the difference between the Privacy Rule and the Security Rule?
The Privacy Rule governs how PHI in any form may be used and disclosed, and sets out individuals’ rights over their data. The Security Rule sets administrative, physical and technical safeguards specifically for electronic PHI. A third rule, Breach Notification, governs what happens when PHI is exposed.
What are the penalties for non-compliance?
HIPAA carries substantial tiered civil monetary penalties, assessed per violation with an annual cap per provision, that scale with the degree of culpability from lack of knowledge through to wilful neglect; criminal penalties are possible for knowingly obtaining or disclosing PHI in violation of the law, and state attorneys general can also bring actions. Beyond enforcement, a breach of PHI carries serious reputational and contractual consequences with healthcare clients, who may terminate the BAA.